Overcoming Advanced Evasion of Malware Detection


Malware evasion tactics are now a standard part of the threat actor's arsenal. To detect advanced attacks effectively, a threat detection technology must remain hidden from the malware it examines. Equally important, it must detect malicious objects that have no signatures and identify malicious capabilities even if the malicious code has not yet executed. SonicWall Capture Advanced Threat Protection (ATP) with Real-Time Deep Memory Inspection™ (RTDMI) technology offers a layered defense designed to stay ahead of advanced evasive threats.

It’s this technology stack that SonicWall security services, clients and devices plug into for advanced malware detection and protection. From Next-Generation Firewall (NGFW), to Email Security, to Capture Client and more, Capture ATP is exposed to the latest evasive threats from around the globe, all day, every day.

Overview of SonicWall Capture ATP

To protect customers against the increasing dangers of zero-day threats, the SonicWall Capture ATP service detects advanced threats at the gateway and, on select devices and services, can block them until a verdict is reached. It was the industry's first advanced threat-detection offering to combine multilayer sandboxing, including full system emulation and virtualization, to analyze the behavior of suspicious code and hold it until verdict.

Because of the increased focus on developing evasion tactics for malware, it’s important to apply a multi-engine approach to analyzing suspicious code, especially to find and stop ransomware and credential theft.

SonicWall’s award-winning multi-engine sandbox platform efficiently discovers what code wants to do at every level, from the application, to the OS, to the firmware on the hardware. This includes the ability to analyze code within the memory of a system using RTDMI.

RTDMI was specifically designed to provide complete visibility into malware behavior that other technologies miss, while remaining hidden from the malware itself. Combined with the rest of the Capture ATP technology stack, it offers a uniquely isolated inspection environment that simulates an entire host, including the CPU, system memory and all input/output devices.

This approach to advanced malware detection allows SonicWall to observe all the malicious actions engineered into a piece of malware, without being visible to the malware. Detecting evasive tactics is essential and complements our ability to detect malicious network, memory, settings, and other malware actions and changes.

Common malware evasion tactics

One of the key characteristics of advanced malware is its stealth: its ability to evade detection. Beyond simply defeating signature-based products and behavior-based detection tools, advanced malware uses dozens of evasion techniques, which fall into the basic categories listed in the table below.

Each entry gives the evasion tactic, what it does, and why it defeats a conventional sandbox.

Stalling delays
Description: The sample remains idle to outlast timer-based analysis.
Result: Most legacy sandboxes can detect a call to the OS sleep function, but they cannot spot the evasion if the malware implements the delay internally without calling the OS.

Action-required delays
Description: Malicious activity is deferred until a specific user action occurs (e.g., a mouse click, or opening or closing a file or application).
Result: A conventional sandbox does not detect malware that is waiting on a user action.

Intelligent delays
Description: The sample detects the sandbox and suspends all malicious activity.
Result: The malware waits until it has fully penetrated the host or machine before injecting, modifying or downloading code, decrypting files, moving laterally across the network or connecting to C2 servers.

Fragmentation
Description: The malware is split into fragments that execute only once the targeted system reassembles them.
Result: Because legacy sandboxes typically evaluate fragments separately, each fragment appears harmless and the whole evades detection.

Return-oriented programming (ROP) evasion
Description: The sample manipulates the stack (the return addresses of the code to be executed next) to introduce new functionality without altering the program's actual code.
Result: ROP delegates execution of the malicious logic to code already present in other programs or libraries rather than to the malware's own code, hiding it from conventional detection.

Rootkits
Description: A rootkit is an application (or set of applications) that hides malicious code in the lower OS layers.
Result: A conventional sandbox does not monitor what the OS does with calls from applications, so the actions performed by a rootkit generally go undetected.
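The stalling-delay row is the easiest of these to make concrete. The following simulation is an added example and is not SonicWall's code or a description of how RTDMI works: it models a sandbox that sees only hooked OS API calls, runs two constructed samples against it (one that calls the OS sleep function, one that burns CPU in an internal loop), and shows that the sleep hook catches only the first. It then adds a generic CPU-progress heuristic (flag a sample that consumes CPU time before making any visible OS call) that catches the second. The sample names, thresholds and file paths are all invented for the illustration.

```python
"""Added simulation (not SonicWall's code): stalling delays versus a sleep hook.

A legacy sandbox that hooks the OS sleep API sees a sample that calls
sleep() and can fast-forward or flag it, but it sees nothing when the
sample burns CPU in an internal loop. A CPU-progress heuristic (flag a
sample that consumes CPU with no OS interaction) catches the second case.
All samples and thresholds here are constructed for illustration.
"""
import time


class HookedApi:
    """Models the view a hooking sandbox has: only calls that pass through
    the hooked OS APIs are visible. Each call is stamped with the process
    CPU time consumed up to that point."""

    def __init__(self):
        self.cpu_start = time.process_time()
        self.calls = []  # (api_name, argument, cpu_seconds_at_call)

    def _record(self, name, arg):
        self.calls.append((name, arg, time.process_time() - self.cpu_start))

    def sleep(self, seconds):
        # Hooked sleep: log the request and fast-forward instead of waiting.
        self._record("sleep", seconds)

    def write_file(self, path):
        self._record("write_file", path)


def sample_sleep_stall(api, seconds):
    """Sample A (constructed): stalls by asking the OS to sleep, then acts."""
    api.sleep(seconds)
    api.write_file("payload.bin")


def sample_spin_stall(api, seconds):
    """Sample B (constructed): stalls internally. The loop reads a clock but
    never requests a sleep, so a sleep hook observes nothing until it acts."""
    deadline = time.monotonic() + seconds
    x = 0
    while time.monotonic() < deadline:
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF  # busy work, no OS calls
    api.write_file("payload.bin")


def analyse(sample, stall_seconds, sleep_threshold=60.0, cpu_budget=0.05):
    """Run a sample under both checks and report which ones fire.

    sleep_hook_flagged: total requested sleep >= sleep_threshold seconds
        (what a hooking sandbox can see).
    cpu_progress_flagged: CPU time burned before the first visible OS call
        exceeds cpu_budget seconds (catches the internal delay).
    """
    api = HookedApi()
    sample(api, stall_seconds)
    requested_sleep = sum(arg for name, arg, _ in api.calls if name == "sleep")
    cpu_before_first_call = api.calls[0][2] if api.calls else float("inf")
    return {
        "sleep_hook_flagged": requested_sleep >= sleep_threshold,
        "cpu_progress_flagged": cpu_before_first_call > cpu_budget,
        "visible_calls": [name for name, _, _ in api.calls],
    }


if __name__ == "__main__":
    # Sample A asks for a 5-minute sleep; the hook fast-forwards and flags it.
    print("sleep stall:", analyse(sample_sleep_stall, 300))
    # Sample B spins for half a second of real time; only the CPU heuristic notices.
    print("spin stall: ", analyse(sample_spin_stall, 0.5))
```

The heuristic is deliberately crude: a real sample can interleave harmless API calls with its spin loop to defeat a "no calls yet" check, which is why production sandboxes look at the ratio of executed instructions to meaningful system interaction over time rather than a single threshold. The point the table makes survives either way: an analysis engine that only observes what crosses an API boundary cannot see a delay that never crosses it.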

Espionage, ransomware and other advanced threats are growing ever more sophisticated. The only way to defeat these types of malware is to implement tools that have been designed specifically to detect known evasion techniques, adapt easily to new ones and work with your existing security stack. SonicWall leverages and maximizes your existing investment in security systems, and with SonicWall Capture ATP with RTDMI you will be ready to defeat today's sophisticated threats.

SonicWall Staff